25 November 2016

Census Gluepots

Interested in the litres of glue used in the 2016 Census? There is data in 'Review of the Events Surrounding the 2016 eCensus - Improving institutional cyber security culture and practices across the Australian government', the self-indulgent report by the Office of the Cyber Security Special Advisor.

The report should be construed through reference to the ambitions of the Advisor's office (and that of the Digital Transformation Agency) and the historic incapacity of the Office of the Australian Information Commissioner. Recommendations, for example, that the OAIC be passed the ball provoke some wariness, given the unwillingness of either the Coalition or the ALP both to adequately fund that agency and to foster a positive approach to privacy protection. Buzzwords such as 'new paradigms' need to be substantiated.

The report states:

The Australian Government’s new paradigm of online engagement and services for Australians is not
coming. It’s already here.

Government’s response to the eCensus events of 9 August 2016 provides an opportunity to change
the conversation about cyber security: to one of trust and confidence in the government’s digital
transformation agenda, where ‘digital first’ is the overwhelming preference for Australians,
underpinned by tangible security and adherence to privacy.

The 2016 eCensus tells us that more of the same is not enough: there is a new imperative to
embrace cyber security as a core platform for digital transformation. And when we make the
necessary changes we will increase the chance to deliver on the promise of Australia’s Cyber Security
Strategy, to strengthen trust online and better realise Australia’s digital potential.

Much of the Government’s dealings with Australians now takes place online, and this trend will only
accelerate. But because this world is new, some disruption is bound to occur as culture shifts. And
setbacks are inevitable.

The 2016 eCensus was a setback. One of the government’s most respected agencies – the Australian
Bureau of Statistics (the ABS) – working in collaboration with one of the technical world’s most
experienced companies – IBM – couldn’t handle a predictable problem.

As a result, a key national event trended online globally as #CensusFail – a serious blow to public
confidence in the Government’s ability to deliver on public expectations.

While the media proclaimed the usual “cyber attack”, this cyber security issue was, unusually, not a
matter of national security. Instead, it was a clear demonstration of the broader impacts – and
relevance – of cyber security on Australian society.

The ABS often cites “Australia’s largest peacetime logistical operation” and its proud history of 100
years of conducting censuses for Australians. The scale of the Census is immense and it touches the
lives of all Australians. And in 2016 it worked hard to get more Australians to participate online. But
this part of the Census represented significant risk.

In perspective, at around $9.6m – a fraction of the $471m overall spend on the Census – the
payment to IBM to deliver the eCensus capability was small. Certainly the sum was small to IBM:
between 1 January 2013 and 19 August 2016 IBM was awarded 777 contracts across the
Commonwealth Government with a total value of $1.55 billion ($13.7m of which was with the ABS).

But cost isn’t the only issue. Nor the most important one. Australia now knows that cyber security is
not just about national security. Cyber security is about availability of services and confidence in
government in a digital age. And the public’s confidence in the ability of government to deliver took
a serious blow, more so than any previous IT failure.

Even though the denial of service attacks on the night were predictable and defeatable, the decision
to close off the eCensus was justified and no data were lost. The outcome could have been worse.
But crucially important is the need to understand how the Census got to the point where the cyber
security arrangements brought into question the trust and confidence in a fundamental government
service. The public’s lack of confidence will linger. The integrity of the collection and its data are of
critical value to Australia.

Looking at the issue and its impact through the cyber security lens, lessons are clear: about
managing risk, about security in a digital age and about Australia’s digital future.

Crisis communications and coordination

The nature of the eCensus event, its national implications and the breadth of consequences of
something going wrong were clearly underestimated in crisis planning. While the ABS and IBM had a
library of incident management documents to guide them through the events of 9 August, they were
impractical, poorly tested and none outlined a comprehensive cyber incident response or
communications plan that could be effectively implemented.

Further, whole of government cyber security incident management arrangements did not link the
affected agency with support mechanisms, leading to sub-optimal communication with Ministers
and the public. Escalation thresholds were not clear, nor were obligations and coordination
mechanisms across agencies.

The impacts of cyber security events are not well understood. There is not a shared understanding
across government, and a well-defined lexicon does not exist. A whole of government approach to
resilience is required, and regular exercising of crisis arrangements will be critical.

Security is a risky business…

The ABS’s problems on the night of 9 August stem from decisions taken well before then: decisions
about partnership, procurement and project governance. Organisational culture and skills also
played a part.

Security architecture

No system connected to the Internet can have guaranteed security. But as more government
services move online, project managers will need to address security and respond to security
incidents as critical business risks.

The distributed denial of service (DDoS) protections for the eCensus were inadequate, yet were
called for in the ABS sole-sourced request for tender (RFT) and written into the contract with IBM.
DDoS was a foreseeable threat, and more robust security planning would have led to a different
outcome. Controls were not considered within a comprehensive security framework; risk
assessments underestimated the consequences of security incidents, leading to insufficient focus on
mitigations; and there was poor independent assessment or verification of security arrangements.
ABS and IBM emphasised some areas of security – the confidentiality and integrity of data – while
underinvesting in the availability of the system.

The exchanges between the ABS, the Australian Signals Directorate (ASD) and IBM also suggest a
lack of clarity in capacity, roles and responsibility for cyber security across government and with
contracted service providers. Agencies look to ASD for advice to provide assurance; this may lead to
a false sense of confidence. ASD endeavour to provide comprehensive advice and assistance.
However, ASD’s ability to provide an integrated assessment will be limited by their available
resources and the time available to address the request. ASD have outstanding expertise for
supporting agencies, but not the capacity to service the clear need across government. A new
approach is needed for agencies to meet Australians’ expectations of a modern digital government.

Protecting Australians’ privacy

The DDoS attack against the eCensus system did not include the compromise of personal
information of Australians. In fact, the ABS’s decision to shut the eCensus website on 9 August was a
privacy-protective measure.

However, the closure of the website appears to have amplified existing community concerns about
security and privacy in relation to the Census; concerns which originated from an ABS decision to
retain names and addresses for up to four years in Census 2016, in combination with the move to
‘digital first’. There is more that the ABS can do to improve its practices, from external scrutiny to
enhanced public engagement on privacy issues. All agencies can learn from the ABS’s experience.

Not just communications, but engagement…

In most respects, the ABS had a well formed and prepared communications strategy and awareness
raising campaign; but it was focussed on the wrong things. The communications problem they
needed to address was not a low level of awareness of the Census, but rather, the introduction of a
‘digital first’ approach and the associated barriers to participation – concerns over security and
privacy.

The ABS failed to adapt its media and communications in response to the public relations storm that
built up in the weeks prior to the Census regarding privacy and security in both mainstream and
social media. Instead, ABS rigidly stuck to its plans, forgoing crucial opportunities to influence and drive the conversation around the Census. Processes for approval of campaigns, and changes to them, may need to be changed to promote agility.

On Census night, the ABS severely underutilised social media as a communications tool to keep the
public up to date and informed of the incident. The ABS’s lack of timely and transparent
communications lost it trust because it opened the door to speculation. The continued slow updates
and virtual absence from the media meant that ABS struggled to win back the trust of the public in
the following days. Ministers must also be supported with clear and accurate advice, and senior
executives must be equipped to understand and talk about cyber security as a matter of business
risk.

Procurement, contracting and governance

Procurement practices fell short. Vendor lock-in, coupled with a particularly close and trusting
relationship between the ABS and its long-term supplier IBM, meant that the ABS did not seek
sufficient independent verification and oversight of critical aspects of the eCensus. Documentation
suggests that there was compliance – risk matrices completed, committee meetings held, minutes
taken – but the security culture was not resilient and adaptable. The ABS and IBM had delivered
eCensus services for the 2006 and 2011 Censuses as well, the latter with a third of the population
utilising the online form. Why should 2016 be any different?

The risk appetite of the ABS was not clearly defined: harm and consequence assessment appeared
underestimated – particularly associated with security risks to the eCensus – leading to
unsatisfactory risk mitigation strategies.

A lesson in culture

Culture matters. And the culture of the ABS identified by the Australian Public Service Commission
(APSC) Capability Review in 2013 — insular, inward looking, reactive — affected decisions and
performance as the ABS planned and carried out the 2016 Census. Moreover, its reliance on past
patterns to guide future strategies doesn’t work.

The prevailing culture can be identified in actions and decisions taken to prepare for the 2016
Census that date back to June 2012. Many seem innocuous, and almost all are compliant with
established government practice. In many ways, the ABS is seen as an exemplar of established
government practice: ticking the boxes, but not appreciating the challenges change presents.

There is no doubt that the preparations for the 2016 Census occurred during a complex time for the
ABS. They were without a substantive Australian Statistician for most of 2014. However, it is clear
that the ABS’s culture clearly contributed to the outcomes on Census Night. The ABS’s actions since
only underscore the importance of culture: it has steadfastly refused to own the issue and
acknowledge responsibility for the factors leading to the events and shortcomings in the handling of
events on the night.

Over the last few years the ABS has devoted energy and resources to aggressively address the
cultural issues highlighted in the APSC Capability Review. The ABS must draw upon the lessons it
takes from the Census experience to help guide and advocate the cultural change path it is following.

Integrity of the Census

The Census outages prevented Australians from filling in forms online for almost 43 hours. This not
only precluded online responses during the outages, but also likely reduced online responses over
subsequent days due to confusion about security and the status of the eCensus. Considerable catch
up then followed and many more Australians than planned turned to paper forms.

58 per cent of households participated online, up from 33 per cent for the 2011 Census. But ahead
of the Census, the ABS had expected that 65 per cent of households would participate online. 2016
online return rates did not reach what were expected or desired.

Short delays in response do not impact on data quality. Many more households than usual not
completing the Census by the end of the data-collection period would reduce quality.

The Census response rate, a critical indicator of quality, is estimated to be over 96 per cent. At this
stage, it is unclear if the target rate of 96.5 per cent will be met. This target is based on the rate
achieved in the 2011 Census.

A more granular assessment of Census quality will not be available until data has been processed,
which will be completed by March 2017. Other indicators of data quality, such as refusals and item
non-response rates, are likely to be comparable to, or better than, outcomes in the 2011 Census.

Unaware of these encouraging signs, post-Census surveys of public attitudes towards the 2016
Census find that many Australians believe that the data collected is unreliable. The latest Survey
found that:
• 42 per cent agreed, to some extent, that this year’s Census has been a failure; and
• 33 per cent agreed, to some extent, that the data collected from this year’s Census are
unreliable.

For the Census to be fit-for-purpose, the users of the statistics, and the public more generally, need
to see the Census as credible. This credibility is to ensure that Census statistics are used for their
intended purpose and that the public continues to provide quality responses to future Censuses.

Cyber Security for Australia’s Digital Future

The ABS’s experience provides insight into agencies’ ability to operate in a digital age. Unpacking the
incident, the scope is broad-ranging: issues facing the ABS included dealing with privacy issues in a
dynamic technology environment, while adapting communications to new forms of online media.

The ABS did not look at alternate service options, such as cloud service provision. Cloud computing
can offer significant security, cost and efficiency benefits, but the ABS’s interpretation of privacy
obligations of the Census and Statistics Act, and a lack of maturity in cloud service offerings at the
time the contract was established, impeded take-up of cloud services which were limited to serving
static content. There are likely similar barriers to cloud take up across government.

Digital awareness, including security risks and consequences, needs to be a core part of toolkits to
deliver services in a modern online economy, where the needs and expectations of the community
rapidly evolve. Small agencies such as the ABS are probably ill-equipped to deliver technology
outcomes of scale.

The August 2015 review on ‘Learning from Failure’, by Professor Peter Shergold AC, called for more
adaptive government and enhanced responsibility and accountability for program management.
There are opportunities to adopt learnings from the eCensus incident in Phase Two of the
government’s Digital Transformation Agenda: security must be ‘baked in’ to design and delivery.
Government can develop a more ‘shared service’ consultancy approach to cyber security to boost
agency capacity.

So what now…

The ABS is likely not alone. Agencies need to transform their thinking to support a truly digital
engagement with Australians. And cyber security and privacy were shown to be critical to the
confidence of Australians in the online services delivered by government, and therefore in
government itself.

While the eCensus delivery was a single technical project, it was also a step toward the
government’s future digital services agenda. And the setback the Census suffered must lead to a
significant mindset shift that all agencies will need to make: digital disruption of their own service
delivery.

All agencies must learn from the ABS’s experience. This report contains:
• actions to improve the fundamentals supporting the transformation to secure online
government;
• improvements to the ABS approach to technology risk, procurement and governance;
• better practice recommendations for agencies as they make the transformation to online
government.

The report features the following Summary of Recommendations:

• Crisis Communications and Coordination: The Department of the Prime Minister and Cabinet
should strengthen cyber security incident management arrangements across government and
ensure the policy is widely circulated, well understood and regularly exercised. This includes:

o ensuring effective crisis incident notification and coordination arrangements across
Australian Cyber Security Centre agencies and between the Australian Cyber Security
Centre, the Crisis Coordination Centre and the Department of the Prime Minister and
Cabinet;

• Education: The Attorney-General’s Department should develop a “Cyber Bootcamp” for senior
government executives and Ministers as part of the Cyber Security Strategy Awareness program.
The Bootcamp would educate participants about cyber security fundamentals and how to talk
about issues with the public and be aligned to Data61’s work with the Australian Institute of
Company Directors.

• Security Framework: The Australian Signals Directorate should strengthen the framework to
help agencies improve the security of their networks:
o update the Information Security Manual about security measures to protect the
availability of online services;
o in collaboration with the Digital Transformation Agency, lead a ‘sprint’ to lift agency
capabilities to protect against denial of service attacks; this should provide a pilot model
for future ‘sprints’ to build cyber security capacity across the Commonwealth;
o develop and implement a security framework for high-risk online essential services and
special events, to complement the high risk agency security framework identified in the
Cyber Security Strategy; and
o review its model for prioritisation and proactive engagement with agencies to provide
cyber security support and develop a service catalogue of offerings to ensure clear
understanding of capabilities; this may require additional resources to achieve. The
Australian Signals Directorate should come back to government with a plan coordinated
with the Cyber Security Special Adviser.

• Creating a Positive Risk Culture: The Department of Finance should assist agencies to actively
engage with cyber security risk by developing:
o guidance for managing risk in ICT and cyber security outsourcing; and
o a strategy to accelerate government to improve agency understanding and uptake of
secure cloud services and hasten cloud certification to PROTECTED (potentially modelled
on the US FedRAMP program). This would require additional resources for the Australian
Signals Directorate for accreditation services. The Australian Signals Directorate should
come back to government with a plan coordinated with the Cyber Security Special
Adviser.

• Embracing Adaptive Government: The Department of the Prime Minister and Cabinet’s ICT
Procurement Taskforce should consider the ABS eCensus procurement process as a case study
on the barriers and opportunities to delivering better ICT outcomes. This should include
developing a more agile approach to market testing and contracting options, ICT procurement
skills and outsourcing oversight arrangements.

• Cyber Security in a Digital First World: The Digital Transformation Agency, in partnership with
the Australian Signals Directorate and the Department of Finance, should:

o develop a proposal for consideration by the Digital Transformation Committee of
Cabinet to create a “cyber security shared services” digital security consulting
organisation within the Digital Transformation Agency. This would ensure security is
integral to all new online service delivery proposals and facilitate partnering between
agencies to draw on cyber security expertise in larger agencies with more mature
capabilities.

o consider how to strengthen central governance and assurance, and this ownership may
no longer logically sit with ASD, given their broader portfolio of responsibilities.

o identify capable agencies and accredit them to deliver shared services for citizen-facing
projects where, for higher risk online delivery programs, smaller agencies must partner
with (or source their ICT project management from) an identified lead agency or through
a core service such as GovCMS.

Recommendations for the Australian Bureau of Statistics

• The ABS should engage an independent security consultant for a wide-ranging examination of all
aspects of their information collection and storage relating to Census data – from web
application through to infrastructure and policies and procedures.

• The ABS should ensure future significant changes to personal information handling practices are
subject to an independently-conducted privacy impact assessment and are supported by broad
ranging consultation.

• The ABS should adopt a privacy management plan to enhance its capability to identify and
manage new privacy issues.

• The ABS should assess and enhance existing ABS privacy training for staff.

• The ABS should develop a specific strategy to remove the current state of vendor lock-in.

• The ABS should strengthen its approach to outsourced ICT supplier performance management to
ensure greater oversight and accountability.

• The ABS should draw upon the lessons it takes from the Census experience to help to guide and
to advocate for the cultural change path it is following.

• The ABS’s decision in August to assemble an independent panel to provide assurance and
transparency of Census quality is supported and the resulting report should be made public.

• The ABS should implement a targeted communication strategy to address public perceptions
about Census data quality.

The ABS should report monthly to their Minister outlining progress against the above
recommendations.

Better Practice Guidance for Agencies:

• Agencies should review their approach to cyber security incident response planning and
coordination and exercising of those plans with stakeholders.

• Agencies should test security measures and monitoring systems for online government services
under foreseeable adverse conditions, including under attack conditions.

• Agencies should be conscious of updated interpretations of governing legislation to address
the changing technological environment. Agencies should review their oversight and assurance
arrangements for outsourced cyber security services.

• The Office of the Australian Information Commissioner has recommended the government
develop an APS-wide Privacy Code in collaboration with the Office. The Code should address
privacy and security risks by requiring all agencies to:

o have an up-to-date privacy management plan

o appoint dedicated privacy contact officers

o appoint ‘Privacy Champions’

o undertake written Privacy Impact Assessments where relevant, and

o take steps to enhance internal privacy capability.

(13,500 litres of glue but alas, no data on the amount of coffee consumed or Red Bull purchased by coders.)
